Java
Guillermo Castro  

Handling sensitive data using Maven

I read some time ago about a developer who mistakenly pushed his AWS keys to a public Github repository and ended up with a big bill as hackers used his credentials to create EC2 instances to mine for bitcoins. The worst part is that it wasn’t entirely his fault, as the Github plugin for Visual Studio had a bug that pushed changes he made to a private repository into a public one. And his isn’t the only case. There are several instances where developers push AWS keys and other sensitive information like DB usernames and passwords to a repository, and hackers are constantly querying github and other source repositories for this information. Ideally, this information shouldn’t be part of the project files.

When I use Maven, I hide this data by having my key or password information stored in my settings.xml file under system properties, which I then inject in my integration tests. That way, the sensitive information is decoupled from the project files, and there is less chance for the data to make it to a public repository. For example:

settings.xml

<settings xmlns="http://maven.apache.org/SETTINGS/1.1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd">
  <profiles>
    <profile>
      <id>default</id>
      <properties>
        <db.username>username</db.username>
        <db.password>secret</db.password>
      </properties>
    </profile>
  </profiles>
</settings>

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <build>
        <plugins>
            <plugin>
                <artifactId>maven-failsafe-plugin</artifactId>
                <configuration>
                    <systemPropertyVariables>
                        <db.username>${db.username}</db.username>
                        <db.password>${db.password}</db.password>
                    </systemPropertyVariables>
                </configuration>
            </plugin>
        </plugins>
    </build>

</project>

SampleIT.java

package org.javageek.test;

import org.junit.BeforeClass;

public class SampleIT {
    @BeforeClass
    public static void setUp() {
        String username = System.getProperty("db.username");
        String password = System.getProperty("db.password");

        // Setup DB connections here
    }
}

Since the settings.xml file is stored outside of the project files, there is a better chance that the data won’t make it to the repositories. However, if more than one person is working on the project, they also need to configure their settings.xml file, so be sure to include this info in the readme for the project, otherwise the integration tests will fail.

What other methods do you use to handle sensitive information?

1 Comment

  1. Luis

    This is depricarted…. This should be update:

    https://maven.apache.org/surefire/maven-surefire-plugin/examples/system-properties.html

    systemPropertyVariables
    This configuration is the replacement of the deprecated systemProperties

Leave a Reply